perl.perl5.porters | Postings from August 2016

[perl #128800] base.pm broken in Perl 5.24.1 rc2

From: Chris Travers via RT
Date: August 3, 2016 02:27
Subject: [perl #128800] base.pm broken in Perl 5.24.1 rc2
Message ID: rt-4.0.18-25150-1470191223-411.128800-15-0@perl.org

Zefram:

No, you misunderstand me.  The point there is that prove is a nice way to demonstrate the vulnerability in test scripts and that test frameworks must be insecure by design (because otherwise they would block problems found in production systems).

Test frameworks are arbitrary code execution frameworks and it is important for administrators to secure them assuming that scripts run during the tests are vulnerable.  That's my point.  The focus of these posts is to look at full attack scenarios and what administrators can do to stop them.  Surely you would agree that administrators running test systems should assume that tested code may do require inside an eval.  Would you not agree?

My next blog post will be on the question of the security of pl/perlU stored procedures and user defined functions running in PostgreSQL.

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=128800
